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Abstract 



Cloud Computing refers to manipulating, configuring, and accessing the 
applications online. It offers online data storage, infrastructure and application. 
In order to achieve safe cloud storage, policy based file access control, policy 
based file assured deletion and policy based renewal of a file stored in a cloud 
environment, a suitable encryption technique with key management should be 
applied before outsourcing the data. In this paper a decentralized access control 
scheme is proposed for secure cloud storage by providing access to the files with 
the policy based file access using Attribute Based Encryption (ABE) and Attribute 
Based Signature (ABS) scheme. In the proposed scheme, the cloud verifies the 
authenticity of the series without knowing the user’s identity before storing data 
and also has the added feature of access control in which only valid users are able 
to decrypt the stored information. The scheme prevents replay attacks and 
supports creation, modification, and reading data stored in the cloud. 



1. Introduction 



Cloud computing is a computing paradigm, where a large pool of systems are connected in private 
or public networks, to provide dynamically scalable infrastructure for application, data and file 
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storage. With the advent of this technology, the cost of computation, application hosting, content 
storage and delivery is reduced significantly. It is a practical approach to experience direct cost 
benefits and it has the potential to transform a data center from a capital-intensive set up to a 
variable priced environment. 




Figure 1: Example diagram for data sharing with cloud storage. 

The idea of cloud computing is based on a very fundamental principal of reusability of IT 
capabilities'. The difference that cloud computing brings compared to traditional concepts of “grid 
computing”, “distributed computing”, “utility computing”, or “autonomic computing” is to broaden 
horizons across organizational boundaries. Even cloud storage is more flexible, how the security 
and privacy are available for the outsourced data becomes a serious concern. 



1.1 .Objectives 



There are three objectives: 

• Confidentiality - preserving authorized restrictions on information access and disclosure. The 
main threat accomplished when storing the data with the cloud. 

• Integrity - guarding against improper information modification or destruction. 

• Availability - ensuring timely and reliable access to and use of information, store their data. 
Remote backup system is the advanced concept which reduces the cost for implementing more 
memory in an organization. 



To achieve secure data transaction in cloud, suitable cryptography method is used. The data owner 
must encrypt the file and then store the file to the cloud. If a third person downloads the file, he/she 
may view the record if he/she had the key which is used to decrypt the encrypted file. Sometimes 
this may be failure due to the technology development and the hackers. To overcome the problem 
there are lot of techniques introduced to make secure transaction and secure storage. 

There are three types of access control: user-based access control (UBAC), role-based access 
control (RBAC), and attribute -based access control (ABAC). 

In UBAC, the access control list contains the list of users who are authorized to access data. This is 
not possible in clouds where there are many users. In RBAC users are classified based on their own 
roles. Data should be accessed by users who have matching roles. The roles are declared by the 
system. ABAC is more extended in scope, in which users are given attributes, and the data has 
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attached access policy. Only users with valid set of attributes and satisfying the access policy, can 
access the data. Only when the users have matching set of attributes, they have decrypting the 
information stored in the cloud. 



1.2 Cryptographic Keys 



Cryptographic keys used to protect data files stored on the cloud are: 

• Public Key: The Public key is a random generated binary key, generated and maintained by the 
Key manager itself. Particularly used for encryption/ decryption. 

• Private Key: It is the combination of the username, password and two security question of 
user’s choice. The private key is maintained by client itself. Used for encrypt / decrypt the file. 

• Access Key: It is associated with a policy. Private access key is maintained by the client. The 
access key is built on attribute based encryption. File access is of read or write. 

• Renew Key: Maintained by the client itself. Each has its own renew key. The renew key is 
used to renew the policy of each necessary file at easy method. 



2. Related Work 



A centralized technique is used where a single key distribution center (KDC) distributes secret keys 
and attributes to all the users. Unfortunately, a single KDC is not only a single data of failure but 
difficult to maintain because of the large number of users that are supported in a cloud 
environment. The receiver receiving the attributes and secret keys from the attribute authority and 
is able to decrypt the information if it has matching attributes. All the technique takes a centralized 
approach and allows only one KDC, which is a single point of failure. 

A new scheme is proposed by Chase in which there are several KDC authorities (coordinated by a 
trusted authority) which distribute attributes and secret keys of the users. However, the presence of 
one proxy and one KDC makes it less robust than decentralized approach. A new scheme given by 
Maji et al. takes a decentralized approach and provides authentication without disclosing the 
identity of the users. 



2.1 .Background 



Mathematical Background: 

Properties: 

a. e(aP,bQ) =e(P,Q) ab for all P,Q s G and a,b s Zq, 
Zq ={0, 1, 2, . . . , q -1 }. 

b. No degenerate: e(g, g) ^1. 

Attribute-Based Encryption: 

a) System setup 

b) Key Generation 

c) Encryption 

d) Decryption 

Attribute-Based Signature Scheme: 

a) System setup 

b) Key generation 

c) Sign 

d) Verify 
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3. Proposed Scheme 



The proposed privacy preserving authenticated access control scheme consists of use of the two 
protocols ABE and ABS. The detailed description of model is as follows: 

There are three users, a creator, a reader, and writer. 

Creator Alice receives a token y from the trustee, who is assumed to be honest. A trustee can be 
someone like the federal government who manages social insurance numbers etc. On presenting her 
id (like health/social insurance number), the trustee gives her a token. There are multiple KDCs 
(here 2), which can be scattered. For example, these can be servers in different parts of the world. A 
creator on presenting the token to one or more KDCs receives keys for encryption/decryption and 
signing. In the Figure 2, SKs are secret keys given for decryption, Kx are keys for signing. 

The message MSG is encrypted under the access policy %. The access policy decides who can 
access the data stored in the cloud. The creator decides on a claim policy y, to prove her 
authenticity and signs the message under this claim. The ciphertext C with signature is c, and is sent 
to the cloud. 

The cloud verifies the signature and stores the ciphertext C. When a reader wants to read, the cloud 
sends C. If the user has attributes matching with access policy, it can decrypt and get back original 
message. Write proceeds in the same way as file creation. 

By designating the verification process to the cloud, it relieves the individual users from time 
consuming verifications. When a reader wants to read some data stored in the cloud, it tries to 
decrypt it using the secret keys it receives from the KDCs. If it has enough attributes matching with 
the access policy, then it decrypts the information stored in the cloud. 





Figure 2: Cloud secure storage model 



4. Algorithms Used 



Two algorithms which are proposed are ABE and ABS is implemented in Java. As the 
implementation will be done in Java all the object oriented features and security will be seen in the 
implementation. This will make the proposed system more efficient. 
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4.1 Attribute Based Encryption (ABE) 



It is a public-key encryption type in which the secret key of a user and the cipher text are dependent 
upon attributes. In such a system, the decryption of a cipher text is possible only if the set of 
attributes of the user key matches the attributes of the cipher text. Attribute -based encryption (ABE) 
can be used for log encryption. It is an approach that reconsiders the concept of public -key 
cryptography. In traditional public -key cryptography, a message is encrypted for a specific receiver 
using the receiver’s public-key. Identity-based cryptography and in particular identity -based 
encryption (IBE) changed the traditional understanding of public -key cryptography by allowing the 
public-key to be an arbitrary string, e.g., the email address of the receiver. ABE goes one step 
further and defines the identity not atomic but as a set of attributes, e.g., roles, and messages can be 
encrypted with respect to subsets of attributes (key -policy ABE - KP-ABE) or policies defined over 
a set of attributes (cipher text-policy ABE - CP-ABE). The key issue is that someone should only 
be able to decrypt a cipher text if the person holds a key for "matching attributes" (more below) 
where user keys are always issued by some trusted party. 

ABE has following steps: 

• Setup: The setup algorithm takes no input other than the implicit security parameter. It 
outputs the public parameters PK & a master key MK. 

• Key Generation (MK,S): The key generation algorithm takes as input the master key MK & 
a set of attributes S that describes the key. It outputs a private key SK. 

• Encrypt (PK, A, M): The encryption algorithm takes as input the public parameters PK, a 
message M, and an access structure A over the universe of attributes. The algorithm will 
encrypt M 7 produce a ciphertext CT such that only a user that possesses a set of attributes 
that satisfies the access structure will be able to decrypt the message. Assume that 
ciphertext implicitly contains A. 

• Decrypt(PK,CT,SK): The decryption algorithm takes as input the public parameters PK, a 
ciphertext CT which contains an access policy A, & a private key SK, which is a private 
key for a set of attributes. If the set S of attributes satisfies the access structure A then the 
algorithm will decrypt the ciphertext & return a message M. 



4.2 Cipher Text-Policy ABE 



In cipher text-policy attribute-based encryption (CP-ABE) a user’s private-key is associated with a 
set of attributes and a cipher text specifies an access policy over a defined universe of attributes 
within the system. A user will be able to decrypt a cipher text, if and only if his attributes satisfy the 
policy of the respective cipher text. Policies may be defined over attributes using conjunctions, 
disjunctions and (£,?z)(k,n)-threshold gates, i.e., kk out of nn attributes have to be present (there may 
also be non-monotone access policies with additional negations and meanwhile there are also 
constructions for policies defined as arbitrary circuits). For instance, let us assume that the universe 
of attributes is defined to be [A,B,C,D}{ A,B,C,D} and user 1 receives a key to attributes 
{A,B}{A,B} and user 2 to attribute {D}{D}. If a cipher text is encrypted with respect to the policy 
(AaC)VD(AaC)VD, then user 2 will be able to decrypt, while user 1 will not be able to decrypt. 



4.3 Key-Policy ABE 



KP-ABE is the dual to CP-ABE in the sense that an access policy is encoded into the users secret 
key, e.g., (AaC)VD(AaC)VD, and a ciphertext is computed with respect to a set of attributes, e.g., 
{A,£}{A,B}. In this example the user would not be able to decrypt the ciphertext but would for 
instance be able to decrypt a ciphertext with respect to {A,C} { A,C}. 
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5. Attribute Based Signature 



Attribute based signatures (ABS) is a cryptographic technique in which users produce signatures 
based on some predicate of attributes, using keys issued by one or more attribute authorities. Users 
cannot forge signatures with attributes they do not possess even through colluding. On the other 
hand, a legitimate signer remains anonymous without the fear of revocation and is indistinguishable 
among all the users whose attributes satisfying the predicate specified in the signature. Under this 
notion, a signature attests not to the identity of the individual who signed a message, but a claim 
regarding the attributes the underlying signer possesses. ABS has largely been inspired by attribute 
based encryption schemes n like other signature schemes attribute based systems are capable of 
supporting complex predicate policies. ABS provides guarantees of enforceability and signer 
secrecy. 





Figure 3: Attribute Based Encryption (ABE) 

• Setup Algorithm is proceeding by the trusted agency. It accepts a security key d as an 
input 7 produce a set of public key ( pk ) with the corresponding master private key (sk). 

• Key Generation Algorithm accepts the master private key sk with the signer attribute set 
U B as an input to give the signer set secret key k L 

• Signing Algorithm It accepts a signer secret key k 1} public key pk, the predetermined 
threshold t an integer, the attribute subset [/* and the document m to create the signature s. 

• Verification Algorithm is done by the verifier.it yields 1 if the signature s on the 
document m is signed by the legitimate signer who have t out of n attributes in an attribute 
subset U* that is \U B fi U* \ >t 



Comparison With Other Access Control Schemes In Cloud 



We compare other access control schemes with our scheme and show how our scheme supports 
many features that the other schemes did not support many writes like 1-W-M-R and M-W-M-R 
but our scheme support. Compared with other schemes, our scheme is decentralized and robust. Our 
scheme support user revocation, most of others is not supported. In most of the other schemes, 
cloud knows the access policy for each and every record that is stored in cloud, in our schemes we 
would hide the attributes and access policy of user. 



6. Conclusion 



We have presented the identity and authentication of data stored in cloud, along with A 
decentralized access control technique with secret authentication which provides user revocation 
and prevents replay attacks. The files are associated with file access policies, that used to access the 
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files placed on the cloud. More security is assured when uploading and downloading of a file to a 
cloud is performed with standard Encryption/Decryption techniques. The cloud does not know the 
identity of the user who stores information, but only verifies the user’s credentials. 
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